If your CI/CD pipeline ran Trivy between Thursday and Friday, assume your credentials belong to someone else now. The widely-used vulnerability scanner was compromised in a supply chain attack that poisoned 75 of 76 version tags, turning a security tool into a credential vacuum.

The message from Trivy maintainer Itay Shakury was blunt: “If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately.”

What Trivy Is (And Why This Matters)

Trivy is an open-source vulnerability scanner maintained by Aqua Security. Developers use it to detect security flaws and accidentally exposed credentials in container images, Kubernetes deployments, and CI/CD pipelines. With 33,200 GitHub stars and over 10,000 workflow files referencing its GitHub Action, it’s infrastructure that thousands of organizations trust implicitly.

That trust was exploited.

How the Attack Worked

Starting at 17:43 UTC on March 19, attackers used stolen credentials to force-push malicious commits to the aquasecurity/trivy-action repository. Force-pushing overrides Git’s normal safety mechanisms, allowing the attackers to rewrite history.

They didn’t create new releases. They retroactively poisoned existing version tags — including widely-used references like @0.34.2, @0.33.0, and @0.18.0. Only version @0.35.0 remained clean.

When a CI/CD pipeline referenced one of these tags, it pulled the malicious code automatically. The malware ran first, harvested credentials, then executed the legitimate Trivy scanner. Pipelines completed normally. No red flags.

What Got Stolen

The malware was thorough. According to analysis by Socket, Wiz, and CrowdStrike, it targeted:

  • GitHub tokens and Personal Access Tokens
  • Cloud credentials (AWS, GCP, Azure)
  • SSH keys and Kubernetes service account tokens
  • Database credentials (PostgreSQL, MySQL, MongoDB, Redis)
  • Docker registry configurations
  • TLS private keys and VPN configurations
  • Cryptocurrency wallet files
  • Shell history and system files

The malware even scraped process memory on GitHub Actions runners, extracting secrets that were never written to disk. Collected data was encrypted with AES-256-CBC and exfiltrated to scan.aquasecurtiy[.]org — a typosquatted domain mimicking Aqua Security’s legitimate site.

If the primary exfiltration failed, the malware created a public repository named tpcp-docs under the victim’s GitHub account and uploaded the stolen data there.

A Second Breach, Same Root Cause

This wasn’t Trivy’s first compromise in March. In late February, an autonomous bot called hackerbot-claw exploited a GitHub Actions misconfiguration to steal a privileged access token. Aqua Security rotated credentials after that incident — but the rotation wasn’t comprehensive.

Attackers retained access. The March 19 attack used credentials that survived the incomplete cleanup.

“We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury acknowledged.

What Organizations Need to Do Now

The remediation checklist is straightforward but labor-intensive:

Verify versions. Update to known-safe releases: Trivy binary v0.69.2 or v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6.

Rotate all pipeline secrets. API keys, deploy tokens, cloud credentials — everything that touched a compromised workflow. This is the painful part.

Check for exfiltration artifacts. Search your GitHub organizations for repositories named tpcp-docs. If one exists, your data was stolen.

Pin Actions to commit hashes. Version tags are mutable. Full SHA hashes are not. “Pin GitHub Actions to full SHA hashes, not version tags,” Wiz researcher Rami McCarthy advised. “Version tags can be moved to point at malicious commits, as demonstrated in this attack.”

The malicious Trivy release (v0.69.4) was live for approximately three hours. The poisoned GitHub Actions tags remained active for up to 12 hours.

Aqua Security’s advisory notes that the threat actor “has pivoted beyond the initial CI/CD compromise and is actively weaponizing stolen credentials across the broader ecosystem.” This is not a contained incident.

The weekend ahead will be long for administrators. But credential rotation beats explaining a breach later.

Sources